CVE-2026-0155

Vulnerability

The vulnerability resides in the ImsMediaBitReader::ReadByteBuffer function of the IMS media component on Google Pixel devices. It is an out-of-bounds (OOB) read due to a missing bounds check. Affected devices are those running Android security patch levels before 2026-06-05, as addressed in the June 2026 Pixel Update Bulletin [1].

Exploitation

An attacker can trigger this OOB read remotely without any user interaction or additional execution privileges. No authentication or special network position is required; the attacker can exploit the vulnerability over the air or via a crafted message processed by the vulnerable IMS media component.

Impact

Successful exploitation leads to remote information disclosure. The attacker can read out-of-bounds memory, potentially exposing sensitive data from the device's kernel or other processes. The impact is limited to information disclosure; the vulnerability does not provide code execution or privilege escalation [1].

Mitigation

Google released a fix as part of the 2026-06-05 security patch level. All supported Pixel devices should update to this patch level or later to mitigate the vulnerability. The fix is included in the June 2026 Pixel Update Bulletin [1].